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Author's Abstract 



A two-process algorithm is shown to be equivalent to an iV-process one, 
illustrating the insubstantiahty of processes. A completely formal equiva- 
lence proof in TLA (the Temporal Logic of Actions) is sketched. 
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1 Introduction 



Processes are often taken to be the fundamental building blocks of concur- 
rency. A concurrent algorithm is traditionally represented as the composi- 
tion of processes. We show by an example that processes are an artifact 
of how an algorithm is represented. The difference between a two-process 
representation and a four-process representation of the same algorithm is no 
more fundamental than the difference between 2 -|- 2 and 1 -|- 1 -|- 1 -|- 1. 

Our example is a fifo ring buffer, pictured in Figure 1. The ith input 
value received on channel in is stored in buf[i — l mod N], until it is sent on 
channel out. Input and output may occur concurrently, but input is enabled 
only when the buffer is not full, and output is enabled only when the buffer 
is not empty. 

Figure 2 shows a representation of the ring buffer as a two-process pro- 
gram in a CSP-like language [2]. The variables p and g record the number 
of values received on channel in by the Receiver process and sent on channel 
out by the Sender process, respectively. Declaring p and g to be internal 
means that their values are not externally visible, so a compiler is free to 
implement them any way it can, or to eliminate them entirely. 

The intuitive meaning of this program should be clear to readers ac- 
quainted with CSP. We will not attempt to give a rigorous meaning to the 
program text. Programming languages evolved as a method of describing 
algorithms to compilers, not as a method for reasoning about them. We do 
not know how to write a completely formal proof that two programming- 
language representations of the ring buffer are equivalent. In Section 2, we 
represent the program formally in TLA, the Temporal Logic of Actions [5]. 
Figure 2 will serve only as an intuitive description of the TLA formula. 

Figure 3 shows another representation of the ring buffer, where IsNext 



in 




out 


hum 




huf[l\ 








huf[N-l\ 







Figure 1: A ring buffer. 
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in, out : channel of Value 

buf array 0 . . iV — 1 of Value 

p, g : internal Natural initially 0 




g := g + 1 



Figure 2: The ring buffer, represented in a CSP-like language. 



in, out : channel of Value 
buf array 0 . . N — 1 of Value 

pp, gg : internal array 0 . . N — 1 of {0, f} initially 0 

Buffer{i : 0..iV-f) :: 

empty: IsNext{pp,i) — ?■ inl buf[i\. 



* 



full: IsNext{gg,i) 



:= + mod 2 ; 

—7- out ! buf[i]; 

99[i] ■= + rnod2 



Figure 3: Another representation of the ring buffer. 
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Figure 4: The correspondence between values of pp and p, for iV = 4. 
is defined by 

IsNext{r, i) = if « = 0 then r[0] = r[N -I] 

else r[«] / r[« — f] 

This is as an iV-process program; the «th process, Bujfer{i), reads and writes 
buf[i]. Variables p and g of the two-process program are replaced by arrays 
pp and gg of bits. Array elements pp[i] and gg[i] are read and written by 
process Bujfer{i), and are read by process Buffer{i + 1 mod N). 

The two programs are equivalent because the values assumed by pp and 
gg in the iV-process program correspond directly to the values assumed by 
p and g in the two-process one. The correspondence between pp and p is 
shown in Figure 4 for iV = 4. A boxed number in the pp[i\ column indicates 
that IsNext{pp, i) equals TRUE. The correspondence between gg and g is 
the same. 

It is not hard to argue informally that the two programs are equivalent. 
Formalizing this argument should be as straightforward as proving formally 
that 222 + 222 equals But, even if straightforward, 

a completely formal proof of either result from first principles is not trivial. 
In Section 3, we sketch a formal TLA proof that the two versions of the ring 
buffer are equivalent. 

2 The Algorithm in TLA 

We now write the TLA formulas that describe the programs of Figures 
2 and 3. The program texts do not tell us what liveness properties are 
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assumed. To make the example more interesting, we assume no liveness 
properties for sending values on the in channel, but we require that every 
value received in the buffer be eventually sent on the out channel. For the 
two-process program, this means assuming fairness for the Sender, but not 
for the Receiver. For the iV-process program, it means assuming fairness for 
the full action of each process, but not for the empty action. 

We give an interleaving representation of the ring buffer — one in which 
sending and receiving are represented by distinct atomic actions. In Sec- 
tion 4, we describe how the specifications and proofs could be written in 
terms of a noninterleaving representation that allows values to be sent and 
received simultaneously. 

We use the following notation: A/" is the set of natural numbers; is the 
set {0, . . ., m — 1}; square brackets denote function application; [S — ?■ T] is 
the set of functions with domain S and range a subset of T; [i £ S e] is the 
function / with domain S such that f[i] = e for all i G S; [f EXCEPT ! [i] = e] 
is the function / that is the same as / except f[i] = e; angle brackets enclose 
tuples; t[i] is the ith component of tuple t, so {v, w)[2] = w; and 5'\r is 
the set of elements in S that are not in T. 

A TLA formula is an assertion about behaviors, which are sequences 
of states. Steps (pairs of successive states) in a behavior are described 
by actions, which are boolean- valued expressions containing primed and 
unprimed variables; unprimed variables refer to the old state and primed 
variables refer to the new state. To describe CSP-style communication, we 
represent a channel by a variable and represent the sending of a value by a 
change to that variable. We define Channel{ V) to be the set of legal values 
of a channel of type V , and Comm{v, c) to be the action that represents 
communicating a value v on channel c. The actual definitions, given below, 
are irrelevant; we require only that a Comm{v, c) action changes c, if f G V 
and c G Channel { V) . 

Channel {V) = V X Z2 
Comm{v,c) = c' = {v,l — c[2]) 

The TLA formula II2 that represents the two-process program is defined in 
Figure 5. We now explain that definition. 

A list of expressions bulleted by A denotes their conjunction; indentation 
is used to eliminate parentheses. If formula F is written as such a list, then 
F.i is its ith conjunct — for example, Rcv.2 is p' = p-\-l. A similar convention 
is used for disjunctions. 
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Type2 = /\ p, g ^ M 

A huf e [Zn Value] 

A in, out G Channel ( Value) 
UnB{i) ^ \j eZN\{i}^bum] 
Rev = A p - g ^ N 

A p' = p-\-l 

A Comm{buf'[p mod N], in) 
A UNCHANGED {g, out , UnB{p mod N) ) 
Snd = A p — g ^ 0 
Ag' = g + 1 

A Comm{buf[g mod N], out) 

A UNCHANGED {p,buf,in) 
$2 = A aType2 

A (p = 0) A □[i?cu](p^6„/^„) 

A (5 = 0) A □[5'nrf](g,„„j) A WF(g,„„j)(5'nrf) 
n2 = 3p,g : <^>2 

Figure 5: The TLA formula 112 representing the two-process program. 



The state predicate Type2 asserts that each variable has the correct 
type. (The array variable buf of the programming language representation 
becomes a variable whose value is a function.) The type declarations of the 
two-process program are represented by the TLA formula OType2, which 
asserts that Type2 equals TRUE in all states of the behavior. 

Action Snd describes a step of the Sender process; it can occur only 
when p — g ^ 0, and it increments g by 1, communicates buf[g mod N] on 
channel out, and leaves p, buf , and in unchanged (unchanged v is defined 
to equal v' = v). Similarly, action Rev describes a step of the Receiver 
process. The conjunct Rev. 3 asserts that the value buf'[p mod N] (the new 
value of buf[p mod N]) is communicated on channel out. The state function 
UnB{i) is defined so that, if it is unchanged, then buf[j] is unchanged for 
all j i. Thus, Rev asserts that the new value of buf[p mod N] is the 
value communicated on channel in, and that buf[j] remains unchanged for 
all j ^ p mod N . 

Formula $2.2 describes the Receiver process. It asserts that p is initially 
0, and that every step is a Rev step or leaves p, buf , and in unchanged {[A]y 
is defined to equal Ay {v' = v)). Steps that leave p, buf , and in unchanged 
represent steps of the Receiver's environment — either steps of the Sender 
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or steps of the entire program's environment. The conjunct <i>2.3 similarly 
represents the Sender process. The formula WF^^ q^j^ (S'nc?) asserts weak 
fairness of the Snd action. In general, WFt,(^) asserts that if action {A)y 
(defined to equal A /\{v' ^ v)) remains continuously enabled, then an {A)y 
step must eventually occur. 

Formula <i>2 is the conjunction of the specifications of the two processes 
with the formula asserting type correctness. It describes the two-process 
program with p and q visible. The complete program specification 112 is 
obtained by hiding p and q. In logic, hiding means existential quantification; 
in temporal logic, fiexible variables (distinct from rigid variables like N) are 
hidden with the temporal existential quantifier 3 . 

The conjunct □ Type2 of <I'2 makes type correctness an explicit part of the 
specification. We put type-correctness assumptions in our specifications to 
make them as much like Figures 2 and 3 as possible. However, it is usually 
better to let type correctness be a consequence of the specification. We 
could rewrite <I'2 as follows to eliminate the conjunct OType2. The conjunct 
OType2A is already redundant because it is implied by <I'2.2 A <I'2.3. We can 
eliminate OType2.3 by making Type2.3 part of the initial condition, since 
rj/j9e2.3 A <I'2.2 A <I'2.3 implies OType2.3. We can eliminate OType2.2 in the 
same way, if we modify Rev so it leaves the domain of buf unchanged. 

The TLA formula IIn that represents the iV-process program is defined 
in Figure 6. There are two things in this definition that merit further ex- 
planation. First, we introduce an array etl to represent the control state. 
The value of etl[i] equals "empty" if control in process Buffer{i) is at the 
point labeled empty ^ and it equals "full" if control is at full. Second, we 
introduce an action NotProc{i) that has no obvious counterpart in Figure 3 
or in 112. The specifications of the two processes in Figure 2 are especially 
simple because each variable is changed by an action of only one of the 
processes. For example, a step of the Sender^s environment can be char- 
acterized as any step that leaves g and out unchanged. We can think of 
g and out as belonging to the Sender. In the iV-process program, 
gg[i], and ctl[i] belong to Buffer{i). However, in and out don't belong to 
any single process; they can be changed by a step of any of the N pro- 
cesses. The variable in belongs to Buffer{i) only when IsNext{pp, i) equals 
TRUE, and out belongs to Buffer{i) only when IsNext{gg, i) equals TRUE. 
Action NotProc{i) characterizes steps of Bujfer{i)^s environment, which is 
allowed to change in when IsNext{pp, i) equals FALSE, and to change out 
when IsNext{gg, i) equals FALSE. The subscript in □[. . ^yarN allows steps of 
the entire program's environment that leave all the variables unchanged. It 
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TypeN 



Fill{i) 



Empty [i] 



NotProc{i) 



varN 



A pp.gg e [Zn ^2] 

A ctl e [Zn {"empty", "full"}] 

A buf e [Zn Value] 
A in, out G Channel ( Value) 
A ctl[i] = "empty" 
A IsNext{pp, i) 

A ctl' = [ctl EXCEPT ![«•] = "full"] 

A pp' = [pp EXCEPT ![«] = 1 - pp[i]] 

A Comm{buf'[i], in) 

A UNCHANGED {gg,out, UnB{i)) 

A ctl[i] = "full" 

A IsNext{gg, i) 

A ctl' = [ctl EXCEPT l[i] = "empty"] 

A gg' = [gg = except l[i] = 1 - gg[i]] 

A Comm{buf[i], out) 

A UNCHANGED {pp, in, buf) 

A UNCHANGED {pp[i], gg[i], ctl[i], buf[i]) 

A IsNext{pp, i) =^ UNCHANGED in 

A IsNext{gg, i) =^ UNCHANGED out 

{pp, gg, ctl, buf, in, out) 

A n TypeN 

/\y i e Zn : /\ {pp[i] = gg[i] = 0) A {ctl[i] = "empty") 
A a[Fill{i) V Empty (i) V NotProc{i)]^arN 
A WF^arN {Empty (i)) 

3pp,gg, ctl : $n 



Figure 6: The TLA formula IIn representing the iV-process program. 
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is semantically superfluous, since NotProc{i) already allows such steps, but 
the syntax of TLA requires some subscript. 

3 The Proof 

We now give a hierarchically structured proof that 112 and Hn are equiva- 
lent [4]. The proof is completely formal, meaning that each step is a mathe- 
matical formula. English is used only to explain the low-level reasoning. The 
entire proof could be carried down to a level at which each step follows from 
the simple application of formal rules, but such a detailed proof is more suit- 
able for machine checking than human reading. Our complete proof, with 
"Q.E.D." steps and low-level reasoning omitted, appears in Appendix A. 

The correctness of the algorithm rests on simple properties of integers 
and of the mod operator. We need the following lemma, where the bit array 
Rep{m) used to represent the integer m is deflned by 

Rep{m) = [i G i-^ if i < m mod 2N < i + N then 1 else 0] 

The lemma is proved in Appendix B. We assume throughout that A is a 
positive integer. 

Lemma 1 If m £ M and i G Zj\[, then 

1. IsNext{Rep{m) , i) = {i = m mod N) 

2. IsNext{Rep{m), i) 

Rep{m + 1) = [Rep{m) EXCEPT ![«] = 1 - Rep{m)[i'\\ 

For temporal reasoning, we use the following TLA rules from Figure 5 of 
[5]. (This version of TLA2 generalizes the one in [5].) 

STL2. hUF ^ F STL3. h UUF = OF 

STL4. F^G STL5. \- a(F A G) = (aF)A(aG) 

OF => □(? 

INVl. lA[N]f^r INV2. h □/ ^ (^[N]f = □[#A/A/']/) 

/ A □[#]/ => □/ 

TLA2. P A {WieS : [A,]f.) => Q A[B]g 

□ P A (Vz e 5 : a[A,]f.) => nQAa[B]g 

The high-level structure of the proof is shown in Figure 7. The proofs of 
steps 1-3, and the deflnitions of <i>2, ^I'n, ^^"^ *^N' given in the 
following sections. 
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Theorem 112 = Hn 



la. 

b. 
2a. 

b. 
3. 



$2 



3pp,gg, ctl 

3p,g 



Q.E.D. 

Proof: 112 



3p,g : $^ 

3p,g,pp,gg, ctl 
3p,g,pp,gg, ctl 
3pp,gg, ctl,p, q 
3pp,gg, ctl : $^ 



step la and the definition of 112 
step 2a 
step 3 
simple logic 
step 2b 

step lb and the definition of IIn 



Figure 7: The high-level structure of the proof. 



var2 



{P,9, buf, in, out) 
A aType2 
A (p = 0) A (5 = 0) 
A n[Rcv V 5'n(i]t,ar2 

A UTypeN 

A^ieZN : = = 0) A {ctl[i] = "empty'' 

A a[3 i e Zn ■■ FiU{i) V Empty {i)]yarN 
A^ieZN : WFyarN {Empty {{)) 



Figure 8: Formulas <i>2 and <i>J^. 



3.1 Step 1: Removing the Process Structure 

Formulas <i>2 and <i>J^ are defined in Figure 8. They can be thought of as 
uniprocess versions of the two algorithms. We obtained them by rewriting 
<i>2 and <i>N as formulas with a single next-state relation, instead of as the 
conjunction of processes. 

Step la is proved as follows. 

la. $2 = $2 

la.l. Type2 => {[Rcv]^p^buf,in) A [Snd]^g^out) = [Rev V Snd]yar2) 
Proof: Given below. 
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la. 2. DType2 => (□[-Rct)](p_5„/_„) A 0[Snd](^g^out) = ^[Rcv V Snd]yar2) 

Proof: Step la.l and rule TLA2. 
la.3. Q.E.D. 

Proof: Step la. 2 and the definitions of $2 and $2- 
Step la.l is proved by showing that Type2 implies 

= by definition of [A]y 

A Rev V {{p, buf , m)' = {p, buf , m)) 

A Snd V {{g, out)' = {g, out)) 
= by propositional logic 

V Rev A ((fif, out)' = {g, out)) 

V Snd A {{p, buf, m)' = {p, buf, m)) 

V Rev A Snd 

V {{g, out)' = {g, out)) A {{p, buf, m)' = {p, buf, m)) 

= V Rev Rev implies (g, out)' = (g, out) 

V Snd Snd implies (p, buf, in)' = {p, buf, in) 

V FALSE Type2 A Rev implies p' ^ p, and Snd implies p' = p 

V var2' = var2 (vi, . . . , Vm)' = (vi, . . . , Vm) iS {v'l = vi) A . . . A {v'm = Vm) 
= [Rev V Snd]yar2 by definition of [A]y 

All of the nontemporal steps in our proof can be reduced to this kind of 
algebraic manipulation. From now on, we just sketch such proofs and leave 
the detailed calculations to the reader. 

The proof of step lb is similar to that of step la, but it is a bit more 
difficult because it requires an invariant InvN , which asserts that the arrays 
pp and gg are representations of natural numbers. 

InvN = {3 m £ M : pp = Rep{m)) A (3 m G A/" : gg = Rep{m)) 

lb. $N = n 

lb. la. $N => ainvN 
b. $^ => a InvN 

Proof: Described below, 
lb. 2. TypeN A InvN => 

[3 I E Zm ■ Fill(i) V Empty {t)]yarN = 

V I G Zff : [FiU{i) V Empty{i) V NotProe{i)]yarN 
Proof: If « 7^ j, then TypeN implies that Fill{i) A FiU{j), Fmpty{i) A 
Fmpty{j), and FiU{i) AFmpty{j) are all false; and TypeN A InvN implies 
Ftll[t) NotProe{j) and Fmpty{i) NotProe{j). By Lemma 1.1, 
TypeN A InvN implies (V « G Zff : NotProe[t)) = (varN' = varN). 
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lb. 3. □ TypeN A OlnvN => 

□ [3 « e Zj^ : Fill(i) V Empty {t)]yarN = 

V« e Zjv : V Empty(t) V #oi_Proc(«)]t,ariV 

Proof: Step lb. 2.1 and rule TLA2. 
lb.4 Q.E.D. 

Proof: Steps Ib.l and lb. 3 and the definitions of $n and 

Steps lb. la and lb. lb are standard invariance properties; lb. la is proved as 
follows. 

lb. la $N => ainvN 

Ib.la.l TypeN A (V « £ Zjv : pp[z] = gg[z] = 0) ^ InvN 

Proof: Rep{0) = [i e Zn ^ 0] 
lb.la.2 A InvN 

A [TypeN A (V « £ Zjv : FtU(t) V Empty(t) V NotProc(t))]yarN 

=> InvN' 

lb.la.2.1. InvN A TypeN A (« £ Zw) A ^/(z) ^ InvN' 
lb.la.2. 2. InvN A Tt/peTV A (« £ Zw) A Empty{t) => InvN' 
lb.la.2. 3. InvN A TypeN A (V « £ Zjv : #oi_Proc(«)) ^ InvN' 
lb. la. 2. 4. InvN A (t)ar#' = varN) => InvN' 
lb.la.2. 5. Q.E.D. 

Proof: Steps lb.la.2.1-lb.la.2.4. 

lb.la.3. A TypeN A {y I £ Zn : pp[i] = gg[i] = 0) 
A □ TypeN 

A □[V « e Zjv : V Empty(t) V NotProc(t)]yarN 

UlnvN 

Proof: Steps Ib.la.l and lb.la.2 and rules INVl and INV2. 
lb.la.4. Q.E.D. 

Proof: Step lb.la.3 and rule TLA2, since (V t : [Ai]y) = [V « : Ai]y. 

Steps lb.la.2.1 and lb. la. 2. 2 are proved using Lemma 1.2; steps lb. la. 2. 3 
and lb. la. 2. 4 follow because their hypotheses imply pp' = pp and gg' = gg. 
As indicated in the appendix, the proof of step lb. lb is similar. 

3.2 Step 2: Adding History Variables 

Formulas <i>2 and <i>^ are defined in Figure 9, which also defines their safety 
parts, <i>2^ and ■ We obtained <i>2 by adding pp^ gg, and ctl as history 
variables to (J""; and we obtained <i>^ by adding p and g as history variables 
to <i>j^. In general, adding an auxiliary variable a to a formula F means 
writing a formula such that F = 3a : F". A history variable is an 
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Init = A p = g = 0 

/\ pp = gg = [i ^ Zn ^0] 
A ctl = [i £ Zn empty] 

Type = Type2 A TypeN 

var = {pp, gg, ctl, p, g,buf, in, out) 



HRcv 



HSnd 



,hS 



= A i?cu 

A pp' = EXCEPT l[p mod iV] : 
A ctl' = [ctl EXCEPT l[p mod N] 
A UNCHANGED 

= A Snd 

A = [gg EXCEPT ![^ mod N] - 
A ctl' = [ctl EXCEPT ![^ mod N] 

A UNCHANGED pp 
A □ Type 
A Init 

A □[i?i?cu V HSnd]yar 



1 — mod N]] 
: "full"] 



1 - mod N]] 
-- "empty"] 



HFill{i) = A Fill{i) 

A p' = p-\-l 

A UNCHANGED g 
HEmpty{i) = A Empty{i) 

Ag' = g + 1 

A UNCHANGED p 

A Init 

A a[3 i e Zn : IIFill{i) V IIEmpty{i)]y 
$h A $hS A (V« G Zjv : WF™,jv(^mp^2/(«))) 

Figure 9: Formulas <i>2 and <i>^. 
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auxiliary variable that records information from previous states. It is added 
by using the following lemma, which can be deduced from the results in [1]. 
Step 2 is easily proved by repeated application of this lemma. 

Lemma 2 (History Variable) If h and h' do not occur in Init, Ai, Bj, 
V, or f, and h' does not occur in gi, for all i £ I and j G J, then 

Init A n[3i e I : A,]y A (Vj G J : WF„(Sj)) 
= 3h : A Init A {h = f) 

A Dpi G / : A A(/j' = 5,)](A,.> 
A Vj G J : WF„(Sj) 

3.3 Step 3: Equivalence of $^ and $^ 

In the two-process algorithm, p and g are the actual internal variables, while 
pp, gg, and ctl are history variables. The situation is reversed in the N- 
process algorithm. Step 3 involves showing that the history variables of one 
algorithm behave like the internal variables of the other. Its proof uses the 
following formulas, where Inv will be shown to be an invariant of both ^2 
and <I>^. 

IsFull{g, p, i) = 3 m ^ M : {g < m < p) A {i = m mod N) 

Inv = A pp = Rep{p) 
A gg = Rep{g) 

A ctl = [i G ^jv if I.sFull{g,p, i) then "full" else "empty"] 

AO<p-g<N 

The high-level structure of the proof is: 

3. <I>h = <Dh 

3.1a. Type A Inv => {HRcv = 3i e Zn : HFtll{t)) 
b. Type A Inv (HSnd = 3 « G Zff : IIEmpty{i)) 

3.2. [Type Mnv A [HRcv y HSnd)]yar = 

[Type A Inv A{3i ^Zn : IIFill{i) V IIFmpty{i))]yar 

3.3a. => ninv 
b. Ulnv 

3.4. <^f- = 

3.5. D/n^ A$hs ^ (WF(g,„„t)(S'nrf) = (V z G Zm ■.WF,arN{Fmpty{z)))) 

3.6. Q.E.D. 

Proof: Immediate from steps 3.3-3.5. 
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Steps 3.1 and 3.2 are (nontemporal) action formulas. They make it intu- 
itively clear why the two transformed formulas are equivalent. Step 3.1a is 
proved as follows. 

3.1a. Type A Inv => {HRcv = 3t ^ Zn : HFill{i)) 

3.1a.l Type A Inv => (HRcv = HFtll{p mod N)) 

S.la.l.l. Type A Inv ^ {{p - g ^ N) = {ctl[p mod N] = "empty")) 
Proof: Arithmetic reasoning and the definition of IsFull. 
3. la. 1.2. Type A Inv IsNext[pp,p mod N) 

Proof: Lemma 1.1. 
3.1a.l.3. Q.E.D. 

Proof: Steps 3. la. 1.1 and 3. la. 1.2, and the definitions of 
HRcv and HFill. 

3.1a.2 Type A Inv => {HFill{p mod N) = (3 « £ Zjv : HFill{i)) 

Proof: By Lemma 1.1, Type A Inv implies IsNext[pp,p mod N) and 
-iIsNext[pp, t), if t G Zii and t ^ (p mod N). 

3.1a.3 Q.E.D. 

Proof: Steps 3.1a.l and 3. la. 2. 

As indicated in the appendix, the proof of 3.1b is analogous. Step 3.2 follows 
easily from step 3.1. 

Step 3.3 asserts that Inv is an invariant of both formulas; its proof is a 
standard invariance argument. 

3.3a. => DInv 
b. => a Inv 

3.3.1. Imt Inv 

Proof: Rep{0) equals [i £ Zff i-^ 0] and IsFuU{0,0, i) = false, for 
all I G Zff. 

3.3.2a. Inv A [Type A (HRcv V HSnd)]yar => Inv' 

b. Inv A [Type A (3 « £ Zjv : HFill{i) V HFmpty{i))]yar => Inv' 

Proof: Given below. 
3.3.3. Q.E.D. 

Proof: Steps 3.3.1 and 3.3.2, and rules INVl and INV2. 

Step 3.3.2 asserts that the next-state actions leave Inv invariant. The proof 
of 3.3.2a is: 

3.3.2a. Inv A [Type A (HRcv V HSnd)]yar => Inv' 
3.3.2a. 1 Inv A Type A HRcv Inv' 

Proof: Assume Inv A Type A HRcv. Then Inv. I' is immediate 
because p' = p and pp' = pp; Inv.2' follows from Lemma 1.2; 
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InvA' follows from InvA, since HRcv implies p' = p -\- 1, g' = g , 
and p — g z/z N; and Inv.3' holds because 
IsFull[g' , p' , t) = by definition of HRcv 
IsFull[g, p -\- l,t) 
= by definition of IsFull 

BmGTV : ((jf<m<|) + l)A(« = m mod N) 
= by Rev. I and InvA 

if I = p mod N then TRUE else IsFull[g,p, t) 

3.3.2a.2 Inv A Fype A HSnd => Inv' 

Proof: Similar to the proof of 3.3.2a.l. 
3. 3. 2a. 3 Inv A [var' = var) Inv' 

Proof: Immediate. 
3.3.2a.4 Q.E.D. 

Proof: Steps 3.3.2a.l-3.3.2a.3. 

Step 3.3.2b follows from steps 3.3.2a and 3.2. This completes the proof of 
step 3.3. 

Steps 3.4 and 3.5, assert the equivalence of the safety and liveness parts 
of the formulas, respectively. Step 3.4 follows from 3.3 and 

□ Type A □ Inv =?- 

a[HRcv V HSnd]yar = Dp « G -Hw : HFiU{i) V HEmpty{i)]^ar 

which follows from step 3.2 and rule TLA2. Step 3.5 has the following 
high-level proof. 

3.5. D/n^A^hs => (WF(g,„„t)(S'nrf) = Ci z e Zm ■.WF,arN{Empty{z)))) 

3.5.1. DInv A <I>^^ => 

(V« e Zm ■.WFyarN{Empty{i))) = WFyarNi^t e Zm : Fmpty{t)) 

3.5.2. n Inv ^n Fype ^n[IIRcvy IISnd]yar => 

varN 

(3 I e Zm ■■ Fm.pty{i)) 

3.5.3. Q.E.D. 

Proof: Steps 3.5.1 and 3.5.2. 

We first consider step 3.5.1. When writing TLA specifications, one often has 
to choose between asserting fairness of V ... V A.^ and asserting fairness 
of each action Ai. The choice becomes a matter of taste when the resulting 
specifications are equivalent. This is the case if, whenever one of the Ai 
becomes enabled, a step of no other Aj can occur before the next Ai step. 
For weak fairness, the equivalence is a consequence of the following result, 
which can be derived from the TLA proof rules of [5]. 
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Lemma 3 If 

Enabled (yl,)t, A n/nu A □[A/' A -lyl^-jt, ^ d-iEnabled (yl^ )„ 
for all i,j G 5* with i / j, then 

ainv A □[A^]„ => (WF„(3i G S : A) = (V i G 5 : WF„(A))) 

We use this lemma to prove step 3.5.1. 

3.5.1. DInv A <I>^^ => 

(V « e Zjv : WYyarN{Empty(i))) = WF^arNi^ I e Zm ■■ Empty(i))) 

3.5.1.1. ^ Dp « e Zat : V Empty{t)]yarN 

Proof: TLA2, since HFill{i) => Fill{i) and HEmpty{i) => Empty (i). 

3.5.1.2. Ai eZN 

A Next{gg, i) 
A □(/nt) A Type) 

A □[(3 J e Zat : FzU{j) V Empty{j)) A -£mpiy(«)]„„rAr 
^ nNext{gg, i) 

Proof: By rules INVl and INV2, since 

Inv A Type A {Etll[j) V Empty{j)) A -iE'mpty[t) 
implies grgr' = grgf, for all t,j G Zjv. 

3.5.1.3. A GZAr)A(z^j) 

A Enabled {Empty {i))yarN 
A □(/nt) A Type) 

A □[(3 A; G : ^/(A;) W Empty [it)) A ^Empty{i)]yarN 

□-! Enabled {Empty {]))yarN 
Proof: Step 3.5.1.2 and rule STL4, since Enabled {Empty {i))yarN 
implies Next{gg, i), and Lemma 1.1 implies 

Inv A Type A Next{gg, i) -iNext[gg , j) 
for all t,j G Zii with t ^ j. 

3.5.1.4. Q.E.D. 

Proof: Steps 3.5.1.1 and 3.5.1.3, and Lemma 3. 

Finally, we prove 3.5.2, which completes the proof of the theorem. 

3.5.2. ninv AUType An[HRcvy HSncTlyar => 

varN 

(3 I e Zm ■■ Empty{i)) 
3.5.2.1. Inv A Type A [HRcv V HSnd]yar => 

{Snd)i^g^out) = {3i e Zm ■■ Empty{i)) 

varN 

Proof: By steps 3.1b and 3.2, since Inv A Type A [HRcv V IISnd]yar 
implies {Snd)i^g out) = HSnd, and 

Inv A Type A [3 « G : IIEill{i) V IIEmpty{i)]yar 
implies (3 t G 2jv : Empty[t))yarN = (3 « G 2jv : IIEmpty[t)). 
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3.5.2.2. ainv A □ Type A a[HRcv V HSnd]yar => 

varN 

Proof: Ulnv A □ Type A U[HRcv V HSnd]yar 

=> by 3.5.2.1 and rules STL5 and TLA2, since (A)v = ^[-^A]v 

0[-nSnd]^g^out) = 0[-n3z e Zff : Empty{i)]yarN 
=^ -^0[-nSnd]^g^out) = -'□h3« e Zff : Empty {i)]yarN 
=> by rules STL3, STL4, and STL5 

D^D[-nSnd]^g^out) = □-'□[-'3« e Zff : Empty {i)]yarN 

since O = -iD-i 

00^[-^Snd]^g^out) = nO-i^B « e Zff : Empty{i)]yarN 
since {A)y = -^[-^A]y 

00{Snd)(^g^out) = 00{3 I e Zm ■■ Empty{i))) 

varN 

3.5.2.3 ninv AUType A n[HRcv V HSnd]yar => 

□ O-i Enabled {Snd)(g out) = 

□ O-i Enabled (3 « e Zat : Empty {i)))yarN 
Proof: Rules STL2 (which implies E => OE), STL4, STL5, and 
TLA2, since by 3.5.2.1, Inv A Type A [HRcv V HSnd]yar implies 

Enabled {Snd)i^g out) = Enabled (3 « e Zat : Empty (i)))yarN 

3.5.2.4 Q.E.D. 

Proof: Steps 3.5.2.2 and 3.5.2.3, since WFt,(^) is defined to equal 
□ ^-.Enabled (^)t, V aO{A)y. 

4 Further Remarks 

We have proved the equivalence of two different representations of the ring 
buffer. This is not just an intellectual exercise; the ability to transform an 
algorithm into a completely different form is important for applying formal 
methods to real systems. Going from the two-process version to the N- 
process one reduces the internal state of each process from an unbounded 
number {p or q) to three bits qq[i], and ctl[i]). As explained in [3], 

such a transformation enables us to apply model checking to unbounded- 
state systems. 

In retrospect, it is not surprising that programs with different numbers 
of processes can be equivalent. Multiprocess programs are routinely exe- 
cuted on single-processor computers by interleaving the execution of their 
processes. The transformation of <i>2 and <i>N to <i>2 and <i>j^ can be viewed 
as a formal description of this interleaving. 

Using an interleaving representation makes the proof of equivalence a 
bit simpler, but it is not necessary. The equivalence of noninterleaving 
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representations can be proved as follows. Let RcvNI and SndNI be the ac- 
tions obtained from Rev and Snd by removing the UNCHANGED conjuncts 
and adding the conjunct UNCHANGED UnB{p mod N) to RcvNI. Replac- 
ing Rev and Snd with RcvNI and SndNI in the definition of 112 yields a 
noninterleaving representation of the two-process program. Similarly, we 
get a noninterleaving representation of the iV-process program by replacing 
FiU{i) and Empty{i) with actions FiUNI{i) and EmptyNi{i) that have no 
UNCHANGED conjuncts except the one for UnB{i). In the proof of equiva- 
lence, formula is changed by replacing its next-state action Rev V Snd 
with Rcvy Sndy {RcvNI A SndNI), and is changed by replacing its next- 
state action with 3i e Zn : FiU{i) V Empty (i) V {FiUNI{i) A EmptyNI{i)). 
Formulas and are obtained by adding history variables to the new 
versions of and ^J^. The proof of equivalence is the same as before, 
except we have to consider the next-state actions' extra disjuncts. These 
disjuncts represent the simultaneous sending and receiving of values. 

Indivisible state changes are an abstraction; executing an operation of a 
real program takes time. In TLA, we can represent the concurrent execution 
of program operations either as successive steps, or as a single step. Which 
representation we choose is a matter of convenience, not philosophy. We 
have found that interleaving representations are usually, but not always, 
more convenient than noninterleaving ones for reasoning about algorithms. 

A proof that two algorithms are equivalent can be turned into a deriva- 
tion of one algorithm from the other. Our proof yields the following deriva- 
tion, where each equivalence is obtained from the indicated proof step(s). 



n2 = 3p, g : $2 la 

= 3 p, q, pp, qq, ctl : ^2 2a 

= 3 p, q, pp, qq, ctl : <1'2 A □/nf 3.3a 

= 3 pp, qq, ctl, p, q : ^^AOlnv 3.4 and 3.5 

= 3 pp, qq, ctl, p, q : 3.3b 

= 3j9, g : $1^ 2b 

= 3p, q : ^'^ AOlnvN Ib.lb 

= 3p,q : <1>N A n/nuA lb. 3 

= Hn lb. la 



Our derivation uses rules of logic to rewrite formulas. In process algebra [6], 
analogous transformations are performed by applying algebraic laws. It 
would be interesting to compare a process-algebraic proof of equivalence of 
the two ring-buffer programs with our TLA proof. 
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A Proof of the Theorem 



Theorem 112 = Hn 

la. $2 = $2 

la.l. Type2 => {[Rcv]^p^buf,in) A [Snd]^g^out) = [Rev V Snd]yar2) 

la. 2. DType2 => {0[Rcv]^p^buf,in) A 0[Snd]^g^out) = ^[Rcv V Snd]yar2) 

lb. $N = n 

lb. la. $N ^ ainvN 

lb. la.l TypeTV A (Vz £ Zjv : pp[z] = gg[z] = 0) ^ /nt)# 
lb.la.2 A InvN 

A [TypeTV A (V « £ Zjv : ^/(z) V Empty(t) V #oi_Proc(«))]„„riV 

lb.la.3. A TypeN A (Vz £ : J3J3[«] = gg[i] = 0) 

A □ TypeN A □[V « £ Zjv : ^/(z) V Empty(t) V #oi_Proc(«)]t,ariV 

lb. lb. $^ ^ 

Ib.lb.l. TypeTV A (Vz £ Zjv : J3J3[«] = = 0) ^ InvN 
lb. lb. 2. A InvN 

A [TypeN A (3 « £ Zjv : ^/(z) V Empty{i)]yarN 

=> InvN' 

lb. lb. 3. A TypeN A (V« £ : J3J3[«] = gg[i] = 0) 

A □ TypeN A Dp « £ ZnFiII{i) V Empty{i)]yarN 
=> InvN' 

lb. 2. TypeTV A /nt)# ^ 

[3 « e Zat : Eill(i) V Empty {t)]yarN = 

V « G Zjv : [EiU{i) V Empty{i) V #oi_Proc(«)]t,arAr 
lb. 3. □ TypeTV A ^ 

□ [3 « e Zj^ : Eill(i) V Empty {t)]yarN = 

V« e Zjv : V Empty{i) V #oi_Proc(«)]t,ariV 

2a. $2 = "^PP^gg^ctl : $2 

b. = 3p,g : $h 
3. <Dh = <Dh 

3.1a. Type A Inv => (HRcv = 3ie Zm : HEill{i)) 

3. la.l Type A /nt) => {HRcv = HEtll{p mod N)) 

3. la.l. 1. Type A Inv ^ {{p - g ^ N) = {ctl[p mod N] = "empty")) 
3. la. 1.2. Type A Inv IsNext{pp, p mod #) 
3.1a.2 Type A Inv => {HEill{p mod #) = (3 « £ Zjv : HEill{i)) 
3.1b. Type A /nf (HSnd = 3 « G Zjv : IIEmpty{i)) 

3.1b.l Type A Inv (HSnd = IIEmpty{g mod #) 
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3. lb. 1.1. Type A Inv ^ {{p - g 0) = {ctl[g mod N] = "empty")) 
3. lb. 1.2. Type A Inv IsNext[gg , g mod N) 
3.1b.l Type A Inv {IIEmpty{p mod N) = (3 « G Zjv : IIEmpty{i)) 

3.2. [Type A Inv A (HRcv V HSnd)]yar = 

[Type A Inv A (3 « £ Zjv : IIFill{i) V IIEmpty{i))]yar 
3.3a. ^ D/nt) 
b. ^ D/nt) 

3.3.1. Imt /nt) 

3.3.2a. /nt) A [Type A (HRcv V IISnd)]yar => Inv' 

3.3.2a. 1 Inv A Type A HRcv Inv' 

3.3.2a.2 Inv A Type A HSnd => Inv' 

3. 3. 2a. 3 Inv A (var' = var) Inv' 
3.3.2b. Inv A [Type A{3i e Zn : HFtll{t) V HEmpty{t))]yar => Inv' 

3.4. $f = 

3.5. D/n^ A$hs ^ (WF(g,„„t)(S'nrf) = (V z e : WF„„,Ar(£mj9iy(z)))) 

3.5.1. D/nt) A <I>^^ => 

(V « e Zat : WF yarN{Empty{i))) = WFyarNi^ I e Zm ■■ Empty{t)) 

3.5.1.1. ^ Dp « e Zat : ra/(«) V Empty{i)]yarN 

3.5.1.2. A « e Zat 

A Next[gg, t) 
A 0(lnv A Type) 

A D[{3j e Zff : EzU{j) V Empty{j)) A ^Empty{i)]yarN 
nNext{gg, i) 

3.5.1.3. A eZM)A(i^j) 

A Enabled {Empty {i))yarN 
A 0(lnv A Type) 

A a[{3k e Zn : Eill{k) V Empty{k)) A ^Empty{i)]yarN 
□-! Enabled {Empty {]))yarN 

3.5.2. ninv AUType An[IIRcvy IISnd]yar => 

WF(g_o„t)(S'nc?) = WFyarN(3z e Zn : Empty(t)) 

3.5.2.1. Inv A Type A [HRcv V HSnd]yar => 

{Snd)i^g^out) = {3i e Zm ■■ Empty{i)) 

varN 

3.5.2.2. ninv A □ Type A n[HRcv V FS'nrfl^ar => 

00{Snd)(^g^out) = 00{3 I e Zm : Empty{i))) 

varN 

3.5.2.3 D/nt) A □ Type A □[_ffi?ct) V FS'nrfl^ar => 
□ O-i Enabled {Snd)(g out) = 

□ 0-iEnabled (3« e Zat : Empty {i)))yarN 
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B Proof of Lemma 1 



Lemma 1 If m £ M and i G Zj\[, then 

1. IsNext{Rep{m) , i) = {i = m mod N) 

2. IsNext{Rep{m), i) 

Rep{m + 1) = [Rep{m) EXCEPT ![«] = 1 - Rep{m)[i'\\ 

1. Rep(m + 1) = [Rep(m) EXCEPT ![m mod #] = 1 — Rep(m)[m mod #]] 

1.1. Case: (m + 1) mod 2# = (m mod 2#) + 1 
Proof: It suffices to prove that 

Rep{m + = if j = m mod N then Rep{m)[j] 

else I — Rep{m)[j] 

for any j G Zff. The proof follows. 

1.1.1. (j = m mod N) = (j = m mod 2N) V (j + N = m mod 2N) 
Proof: Simple number theory. 

1.1.2. If j = m mod N, then 

(j < 1 + (m mod 2N) < j + N) = -.(j < m mod 2N < j + N) 
Proof: Step 1.1.1 and simple arithmetic. 

1.1.3. If j m mod N then 

(j < 1 + (m mod 2N) < j + N) = (j < m mod 2N < j + N) 
Proof: Step 1.1.1 and simple arithmetic. 

1.1.4. Q.E.D. 

Proof: By 1.1.2, 1.1.3, and the definition of Rep. 

1.2. Case: (m + 1) mod 2# 7^ (m mod 2#) + 1 

Proof: The case assumption implies m mod 2N = 2N — 1, which implies 
Rep{m) = [i G Zff 1-^ if i = N — I then 0 else 1] 
Rep(m + 1) = [« e 1-^ 0] 

1.3. Q.E.D. 

Proof: Steps 1.1 and 1.2. 

2. IsNext{Rep{m), i) = (i = m mod N) 
The proof is by induction on m. 

2.1. Case: m = 0 

Proof: Rep{0) = [j e Zn ^ 0] and IsNext{Rep{0), i) = (i = 0), for 

I e Zu. 

2.2. Assume: IsNext{Rep{m), i) = [i = m mod N) 
Prove: IsNext{Rep{m + 1), «) = (« = m + 1 mod N) 

2.2.1. (« = m mod N) => {IsNext{Rep{m + 1), i) = ^IsNext{Rep{m) , i)) 
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Proof: t = m mod N implies IsNext{Rep{m + 1), «) 
= by definition of IsNext 

if « = 0 then Rep{m + 1)[0] = Rep{m + !)[#- 1] 
else Rep{m + 1)[«] 7^ Rep{m + 1)[« — 1] 

= by step 1 

if « = 0 then 1 - Rep{m)[0] = Rep{m)[N - 1] 
else 1 — Rep{m)[i] ^ Rep{m)[i — 1] 
= -I IsNext [Rep ['m),t) 

2.2.2. («-l = m mod N) => {IsNext{Rep{m+l), i) = -^IsNext{Rep{ 
Proof: « — 1 = m mod N implies IsNext{Rep{m + 1), «) 

= by definition of IsNext 

if « = 0 then Rep{m + 1)[0] = Rep{m + l)[N - 1] 
else Rep{m + 1)[«] 7^ Rep{m + — 1] 

= by step 1 

if « = 0 then Rep{m)[0] = 1 - Rep{m)[N - 1] 
else Rep{m)[i] 7^ 1 — -Re|)(m)[« — 1] 
= -I IsNext [Rep ['m),t) 

2.2.3. (« 7^ m mod #) A (« - 1 7^ m mod N) => 

IsNext[Rep[m + 1), «) = IsNext[Rep[m), i) 
Proof: The hypothesis implies IsNext[Rep[m + 1), «) 
= by definition of IsNext 

if « = 0 then Rep[m + 1)[0] = Rep[m + l)[N - 1] 
else Rep[m + 1)[«] 7^ Rep[m + — 1] 

= by step 1 

if « = 0 then Rep[m)[0] = Rep[m)[N - 1] 
else Rep[m)[i] 7^ Rep[m)[i — 1] 
= IsNext[Rep[m), i) 

2.2.4. Q.E.D. 

Proof: By 2.2.1-2.2.3 and the induction assumption. 
2.3 Q.E.D. 

Proof: By steps 2.1 and 2.2 and mathematical induction. 

3. Rep[m + 1) = [Rep[m) EXCEPT ![«] = 1 - Rep[m)[i]\ 
Proof: Immediate from steps 1 and 2. 

4. Q.E.D. 

Proof: Steps 2 and 3. 
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